Kaspersky Labs in Russia identified the attack as “The Mask,”
and guessed that the operation most likely comes from a
Spanish-speaking nation state, based on its advanced
characteristics and Spanish language snippets in its malware. It
targeted oil and gas companies in addition to research
organizations and activists, Wired reported.

Using complex malware, rootkit methods, and a bootkit to shield
continued activity on infected targets, The Mask pursued at least
380 victims in over two dozen countries. It sought documents,
encryption keys, data about VPN set-ups, and Adobe signing keys
that would offer operators the ability to sign a PDF document as
if they owned the key. Most of the targets were in Morocco and
Brazil, Kaspersky found.

“They are absolutely an elite APT [Advanced Persistent
Threat] group; they are one of the best that I have seen,”
Costin Raiu, director of Kaspersky’s Global Research and Analysis
Team, said Monday. “Previously in my opinion the best APT
group was the one behind Flame...these guys are better.”

APT attacks are associated with high-powered nation-state
operations, such as the aforementioned Flame and Stuxnet, created by the US and Israel to damage
Iranian nuclear centrifuges. Yet Kaspersky said there were no
signs that The Mask – named after Careto, one of the three
backdoors used, which means ‘mask’ in Spanish – was
developed by the same group. Raiu said this was the first APT
malware Kaspersky had seen that came with Spanish language script
rather than the usual Chinese.

French company Vupen, which sells exclusive zero-day exploits to
law enforcement and intelligence agencies, denied that they
supplied attackers with The Mask. Zero-day exploits are, as
defined by the Electronic Frontier Foundation, “hacking
techniques that take advantage of software vulnerabilities that
haven’t been disclosed to the developer or the public.”

In addition, Vupen was suspected based on an exploit it created
that targeted the Adobe Flash Player, which was subsequently
patched by Adobe in 2012. Kaspersky’s Raiu said they don’t know
for certain that a Vupen exploit was used by Mask operators, but
he said the code was “really, really sophisticated” and
that it’s unlikely they would have developed their own exploit.

Yet Vupen co-founder Chaouki Bekrar denied any involvement,
tweeting Monday: “Our official statement about #Mask: the
exploit is not ours, probably it was found by diffing the patch
released by Adobe after #Pwn2Own.”

Kaspersky first discovered The Mask last year when some of its
customers were subjected to an attack that sought to exploit a
vulnerability, patched long ago, within some of the company’s
security software from a previous generation.

Kaspersky said there were two designs for The Mask’s malware –
for Windows and Linux – though they said evidence shows there may
also be mobile versions for Android and iPhones/iPads.

Attacks used spear-phishing email campaigns that offered links to
webpages that would attach malware onto a machine. Some of the
malicious URLs were designed to seem like common-viewed, major
news sites in Spain, or the Guardian and The Washington Post, for
example.